How can I change the encryption key used by my Amazon RDS DB instance?

Last updated: 2022-04-29

How can I update the encryption key used by my Amazon Relational Database Service (Amazon RDS) DB instance so that it uses a new encryption key?


You can't change the encryption key used by an Amazon RDS DB instance. However, you can create a copy of the RDS DB instance, and then choose a new encryption key for the copy.
Note: Data in unlogged tables might not be restored using Snapshots. For more information, review Best practices for working with PostgreSQL.

To create a copy of an RDS DB instance with a new encryption key, follow these steps:

  1. Create a manual snapshot of your RDS DB instance.
  2. Open the Amazon RDS console and then choose Snapshots from the navigation pane.
  3. Choose your snapshot, choose Actions, and then select Copy Snapshot.
    Note: Be sure to choose Enable encryption.
  4. For AWS KMS Key, choose the new encryption key that you want to use.
  5. Restore the copied snapshot.

The new RDS DB instance uses your new encryption key.

Confirm that your new database has all necessary data and that your application is using the new database. When you no longer need the old RDS DB instance, you can delete the instance.

Did this article help?

Do you need billing or technical support?